How to Be Secure on the Web

This September, MiddCreate will officially launch for the Middlebury community! It provides spaces on the web that allow students, faculty, and staff to create and develop their digital identity using open source online applications. As we explore this new set of tools, it’s easy to get swept up in the excitement of having your own domain and forget the risks that come with that freedom.

Managing your own content means you must also take responsibility for the security of your sites. It’s tempting to procrastinate about web security because let’s be honest, it seems tedious and boring. We all wish there were one-click, set-it-and-forget-it solutions, but think of it this way: if your domain is an empty garden plot, waiting for you to plant whatever you like, it’s going to need regular tending and care to flourish.

Being proactive about web safety can help you avoid the unpleasant experience of being hacked, saving you a ton of time and trouble. Below I’ve listed some advice to help you understand the threats to self-hosted sites and how to defend them from hackers. Of course, these are just the basics, so check the resource links at the bottom of the page for more in-depth information.

How and why do sites get attacked?


You may wonder why anyone would be interested in hacking your little site, especially if it doesn’t contain any sensitive information or have a very large readership. The truth is most hacks are not done by people, but networks of automated bots that crawl the web looking for vulnerable openings.

If there is an opportunity, they’ll take advantage of it to use your site to infect visitors’ computers with malware, redirect them to generate income, or simply make use of your server to launch further attacks. So, how do hackers get into a site? Most attacks are a result of vulnerabilities in the hosting platform, flaws in the themes or plugins installed, or weak passwords.

Of all the applications available on MiddCreate, WordPress accounts for 65% of the installations people have made so far. WordPress is also one of the most popular targets for hackers. Why? One obvious reason is because it’s so widely used, but also because its open source nature and unlimited, customizable features can expose sites to attack. Most of the tips in this article can apply to any application you install on your domain, but some will focus specifically on hardening WordPress.

How to keep your site safe


Keep Regular Backups

Always back up everything! Prepare for the worst so that even if your site gets hacked, you’ll be able to restore it. Seriously, if you think you’ll forget, set up a reminder in your calendar right now to make sure it gets done. The cPanel has a Backup Wizard that lets you easily back up and restore all or parts of your domain files and databases.

A full backup creates an archive of all the files and configuration on your website. You can use it only to move your account to another server or to keep a local copy of your files; full backups cannot be restored through the cPanel interface. To restore files, you’ll need to download partial backups instead.

Secure Your Login

Preventing hackers from cracking your login using trial-and-error brute force attacks can be as simple as setting up some additional security layers and maintaining good password habits.

  • Create a strong password: it should be long, complex (include numbers and special characters), and unique to each site. If you have trouble coming up with one, use a password generator or a passphrase (such as an unusual sentence, memorable poetry or movie lines, or a summary of a quirky event from your life)
  • Make other users do the same (if you can) by changing your settings to force strong passwords
  • Store your passwords in a secure place, such as a password manager (e.g. Roboform, KeePass, LastPass, 1Password, or Dashlane)
  • Limit login attempts
  • Use two-step authentication so that you can only log in to your account if you also have access to your cell phone or social network credentials
  • In WordPress, avoid using the “admin” username, which is a common default and often targeted by hackers. You can also set your display name to something different from your actual username by going to Users in the left-hand sidebar menu of your Dashboard. Learn more about password and username security on WordPress in this video from WPMU DEV.
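As an added illustration of the “limit login attempts” item above (example code, not part of MiddCreate or of WordPress itself), here is a small must-use plugin that locks out a username/IP pair for 15 minutes after five failed logins. It assumes a standard WordPress install where you can drop a file into wp-content/mu-plugins/; the hooks and transient functions it uses are WordPress core APIs.

```php
<?php
/*
 * Constructed example: save as wp-content/mu-plugins/mc-limit-logins.php.
 * Counts failed logins per username + client IP and refuses further
 * attempts for a lockout window once the limit is reached.
 */

const MC_MAX_ATTEMPTS    = 5;    // failures allowed before lockout
const MC_LOCKOUT_SECONDS = 900;  // 15-minute lockout window

// One counter per username + client IP, so one attacker does not lock out everyone.
// Note: behind a proxy or CDN, REMOTE_ADDR may be the proxy's address, not the visitor's.
function mc_attempt_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'mc_login_fail_' . md5( strtolower( $username ) . '|' . $ip );
}

// Record every failed login; WordPress fires 'wp_login_failed' with the attempted username.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = mc_attempt_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, MC_LOCKOUT_SECONDS ); // expiry resets the window
} );

// While locked out, reject the login even if the password is now correct.
// Priority 30 runs after the core username/password check (priority 20).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $count = (int) get_transient( mc_attempt_key( $username ) );
    if ( $count >= MC_MAX_ATTEMPTS ) {
        return new WP_Error(
            'mc_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', MC_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter on a successful login so legitimate users start fresh.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( mc_attempt_key( $user_login ) );
} );
```

Because the counter lives in a transient, it expires on its own; no database cleanup is needed, and the same file can be removed to switch the protection off.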

Choose Plugins and Themes Wisely

A high percentage of attacks occur due to vulnerabilities in plugins and themes. Only use up-to-date plugins and themes with well-written code by trusted developers.

  • Choose from products available in an application’s plugin and theme browsers. Look for ones with a high rating from a decent number of users. If you’re unsure about a product’s quality, click on ‘More Details’ or the author name to do more research. Check the author’s history and assess their security measures. Look for stamps of confidence issued by reputable security solution providers or other evidence that the product has been submitted for a code audit
  • Plugins with a high number of installs could potentially be greater targets, but they are also likely to have better documentation and support, and to have security issues reported more quickly
  • Look for plugins that are properly maintained: check when it was last updated (the more recently the better) and whether it’s compatible with your version of WordPress before downloading
  • Delete every plugin and theme on your site that isn’t strictly necessary. To delete a theme in WordPress, go to Appearance > Theme, then click on ‘Theme Details’ and hit ‘Delete’ in the lower right corner
  • Add security plugins that will configure a range of security options for you (e.g. WordFence for WordPress). You can also use free security scans that will look through your site’s code for malicious scripts
  • Keep up-to-date: many minor updates specifically address vulnerabilities, so make sure you have the latest versions of everything you use. It’s always a good idea to perform plugin and theme updates manually to avoid accidentally breaking the functionality of your site

Manage User and Access Permissions

A benefit of managing your own site is being able to control every aspect of how visitors and users interact with it. It’s very important to configure these permissions when you first set it up.

  • Review your site’s access permissions to edit how much outside visitors and users can see and do in your site. Typically you can assign users different “roles” with varying levels of privileges. For example, there are six user roles available in WordPress
  • Disable or limit open registration: this is extremely important if you’re using an application like DokuWiki that allows visitors to join and contribute content
  • Require a CAPTCHA (e.g. for access, page editing, contributions, etc.) to fend off bots

** Fun trivia fact! CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

From xkcd.com

Additional Resources

** If you want to really lock down your sites, some of these links include more advanced, technical methods you can employ if you’re comfortable working with code and files in the cPanel. I wouldn’t recommend trying most of them unless you are confident that you know how to reverse it if something goes wrong. Remember, when in doubt, always backup first!